GNUBoot/gnuboot
GNUBoot
/
gnuboot
mirror of https://git.savannah.gnu.org/git/gnuboot.git
2
1
Fork 0
Code Issues Releases Activity
gnuboot/site/docs/gnulinux/guix_system.md

371 lines
9.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Encrypted Guix GNU+Linux
x-toc-enable: true
...
Objective
=========
To provide step-by-step guide for setting up guix system (stand-alone guix)
with full disk encryption (including /boot) on devices powered by Libreboot.
Scope
=====
Any users, for their generalised use cases, need not stumble away from this
guide to accomplish the setup.
Advanced users, for deviant use cases, will have to explore outside this
guide for customisation; although this guide provides information that is
of paramount use.
Process
=======
Preparation
-----------
In your current GNU+Linux System, open terminal as root user.
Insert USB drive and get the USB device name /dev/sdX, where “X” is the
variable to make a note of.
lsblk
Unmount the USB drive just in case if its auto-mounted.
umount /dev/sdX
Download the latest (a.b.c) Guix System ISO Installer Package (sss) and
its GPG Signature; where “a.b.c” is the variable for version number and
“sss” is the variable for system architecture.
wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz
wget https://ftp.gnu.org/gnu/guix/guix-system-install-a.b.c.sss-linux.iso.xz.sig
Import required public key.
gpg --keyserver pool.sks-keyservers.net --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
Verify the GPG Signature of the downloaded package.
gpg --verify guix-system-install-a.b.c.sss-linux.iso.xz.sig
Extract the ISO Image from the downloaded package.
xz -d guix-system-install-a.b.c.sss-linux.iso.xz
Write the extracted ISO Image to the USB drive.
dd if=guix-system-install-a.b.c.sss-linux.iso of=/dev/sdX; sync
Reboot the device.
reboot
Pre-Installation
----------------
On reboot, as soon as you see the Libreboot Graphic Art, press arrow keys
to change the menu entry.
Choose “Search for GRUB2 configuration on external media [s]” and wait
for the Guix System from USB drive to load.
Set your keyboard layout lo, where “lo” is the two-letter keyboard layout
code (example: us or uk).
loadkeys lo
Unblock network interfaces (if any).
rfkill unblock all
Get the names of your network interfaces.
ifconfig -a
Bring your required network interface nwif (wired or wireless) up, where
“nwif” is the variable for interface name. For wired connections,
this should be enough.
ifconfig nwif up
For wireless connection, create a configuration file using text editor,
where “fname” is the variable for any desired filename.
nano fname.conf
Choose, type and save ONE of the following snippets, where nm is the
name of the network you want to connect, pw is the corresponding
networks password or passphrase and un is user identity.
For most private networks:
network={
ssid="nm"
key_mgmt=WPA-PSK
psk="pw"
}
(or)
For most public networks:
network={
ssid="nm"
key_mgmt=NONE
}
(or)
For most organisational networks:
network={
ssid="nm"
scan_ssid=1
key_mgmt=WPA-EAP
identity="un"
password="pw"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Connect to the configured network, where “fname” is the filename and
“nwif” is the network interface name.
wpa_supplicant -c fname.conf -i nwif -B
Assign an IP address to your network interface, where “nwif” is the
network interface name.
dhclient -v nwif
Obtain the device name /dev/sdX in which you would like to deploy and
install Guix System, where “X” is the variable to make a note of.
lsblk
Wipe the respective device. Wait for the command operation to finish.
dd if=/dev/urandom of=/dev/sdX; sync
Load device-mapper module in the current kernel.
modprobe dm_mod
Partition the respective device. Just do, GPT --> New --> Write --> Quit;
defaults will be set.
cfdisk /dev/sdX
Encrypt the respective partition.
cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat /dev/sdX1
Obtain and note down the “LUKS UUID”.
cryptsetup luksUUID /dev/sdX1
Open the respective encrypted partition, where “partname” is any
desired partition name.
cryptsetup luksOpen /dev/sdX1 partname
Make filesystem on the respective partition, where “fsname” is any
desired filesystem name.
mkfs.btrfs -L fsname /dev/mapper/partname
Mount the respective filesystem under the current system.
mount LABEL=fsname /mnt
Create a btrfs-supported NOCOW swap file with no compression and make it
readable cum writable only by root.
touch /mnt/swapfile`
chattr +C /mnt/swapfile`
btrfs property set /mnt/swapfile compression none`
dd if=/dev/zero of=/mnt/swapfile bs=1MiB count=2048
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile
Installation
------------
Make the installation packages to be written on the respective
mounted filesystem.
herd start cow-store /mnt
Create the required directory.
mkdir /mnt/etc
Create, edit and save the configuration file by typing the following
code snippet. WATCH-OUT for variables in the code snippet and
replace them with your relevant values.
nano /mnt/etc/config.scm
Snippet:
(use-modules
(gnu)
(gnu system nss))
(use-service-modules
xorg
desktop)
(use-package-modules
certs
gnome)
(operating-system
(host-name "hostname")
(timezone "Zone/SubZone")
(locale "ab_XY.1234")
(keyboard-layout
(keyboard-layout
"xy"
"altgr-intl"))
(bootloader
(bootloader-configuration
(bootloader
(bootloader
(inherit grub-bootloader)
(installer #~(const #t))))
(keyboard-layout keyboard-layout)))
(mapped-devices
(list
(mapped-device
(source
(uuid "luks-uuid"))
(target "partname")
(type luks-device-mapping))))
(file-systems
(append
(list
(file-system
(device
(file-system-label "fsname"))
(mount-point "/")
(type "btrfs")
(dependencies mapped-devices)))
%base-file-systems))
(users
(append
(list
(user-account
(name "username")
(comment "Full Name")
(group "users")
(supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "cdrom" "tape" "kvm"))))
%base-user-accounts))
(packages
(append
(list
nss-certs)
%base-packages))
(services
(append
(list
(extra-special-file "/usr/bin/env"
(file-append coreutils "/bin/env"))
(set-xorg-configuration
(xorg-configuration
(keyboard-layout keyboard-layout)))
(service gnome-desktop-service-type))
%desktop-services))
(name-service-switch %mdns-host-lookup-nss))
Initialise new Guix System.
guix system init /mnt/etc/config.scm /mnt
Reboot the device.
reboot
Post-Installation
------------
On reboot, as soon as you see the Libreboot Graphic Art, choose
the option 'Load Operating System [o]'
Enter LUKS Key, for Libreboot's grub, as prompted.
You may have to go through warning prompts by repeatedly
pressing the "enter/return" key.
You will now see guix's grub menu from which you can go with the
default option.
Enter LUKS Key again, for kernel, as prompted.
Upon GNOME Login Screen, login as "root" with password field empty.
Open terminal from the GNOME Dash.
Set passkey for "root" user. Follow the prompts.
passwd root
Set passkey for "username" user. Follow the prompts.
passwd username
Update the guix distribution. Wait for the process to finish.
guix pull
Update the search paths.
export PATH="$HOME/.config/guix/current/bin:$PATH"
export INFOPATH="$HOME/.config/guix/current/share/info:$INFOPATH"
Update the guix system. Wait for the process to finish.
guix system reconfigure /etc/config.scm
Reboot the device.
reboot
Conclusion
==========
Everything should be stream-lined from now. You can follow your
regular boot steps without requiring manual intervention. You can
start logging in as regualar user with the respective "username".
You will have to periodically (at your convenient time) login as root
and do the update/upgrade part of post-installation section, to keep your
guix distribution and guix system updated.
That is it! You have now setup guix system with full-disk encryption
on your device powered by Libreboot. Enjoy!
References
==========
[1] Guix Manual (http://guix.gnu.org/manual/en/).
Acknowledgements
================
[1] Thanks to Guix Developer, Clement Lassieur (clement@lassieur.org),
for helping me with the Guile Scheme Code for the Bootloader Configuration.
View Git Blame Copy Permalink